Intel Focuses on Strengthening Authentication on Windows Machines

Intel is readying multifactor authentication that stores and processes encrypted credentials on its CPUs, aiming to change the way commercial users access Windows using a combination of biometrics, PINs and one-time passcodes.

Biometric authentication is rapidly becoming the vogue thanks to the growing use of Touch ID on iPhones and iPads and TouchWiz on Samsung Galaxy devices. Increasingly, PC users with brand-new laptops can log in using facial recognition or an embedded fingerprint scanner on the device's keyboard using Windows Hello, the function in Windows 10 that aims to obviate the use of passwords in favor of stronger authentication techniques provided in the new OS credential registry, called Passport. In addition to biometric authentication, the use of one-time passcodes -- typically sent to a device via SMS -- has become a more common form of handling access to a growing number of public Web sites. Combine these two forms of authentication along with others, such as location, and you have multifactor authentication (MFA).

The use of MFA to access PCs and secure networks is familiar to those who work in the most sensitive environments such as government and military agencies handling classified information, health care organizations, and financial institutions using specialized key encryption offerings from the likes of RSA Security from EMC Corp. If Intel Corp. has its way, MFA will change the way most people log in to their enterprise PCs. At the very least, it'll be a readily available option to IT organizations that want to require it, if not always, then under certain conditions such as when logging in remotely.

Intel, whose processors are in an estimated 90 percent of all commercial Windows PCs, is now in the early stages of rolling out a new capability that'll allow IT administrators to require two or more forms of authentication in order to access their computers and corporate networks. The new technology, called Intel Authenticate, is available in preview for any PC outfitted with the company's newest 6th Generation Core processor (code-named "Skylake"). Intel Authenticate provides hardware-based authentication, meaning the user's credentials and an organization's system access policies are stored within the processor's firmware.

Rising Credential Theft
Hardware-based authentication is a more secure way than Windows or third-party security software to ensure a system can't be compromised, according to Tom Garrison, VP and general manager of Intel business client products. Intel Authenticate is optimized for Windows 10, but the company said it'll work with Windows 7 and Windows 8.1, as well. The company sees a huge opportunity to boost demand by businesses for PCs based on its latest processors. By Intel's own estimates there are 117,000 cyberattacks on corporate systems every day and 750 million PCs are currently vulnerable to credential theft. Citing Verizon's "Data Breach Investigation Report," Intel says more than half of all breaches are the result of stolen or misused credentials. Intel Authenticate can prevent credential theft in ways traditional passwords, Windows Hello and other forms of authentication can't, Garrison explains. "It's hardened multifactor authentication," he tells Redmond. "What we're providing is an even better security capability because it's rooted in hardware and therefore all the software classes of attack like simple phishing techniques or key-loggers, or screen scrapers, those kind of more traditional attacks will not work with Authenticate, because the credentials themselves are all stored in hardware."

Indeed, while Windows Hello last summer introduced an alternative to passwords, it's currently limited to one factor. While Windows Hello and Passport can be one of the factors in an MFA chain, using hardware-based authentication offers more assurance that credentials can't be attacked at the software layer and through social engineering, Garrison says. "There are other classes of attacks where the credentials are actually removed from the PC when they're stored in the software layer," he says. "All of those classes of attacks are thwarted with Intel Authenticate."

Ultimately, Intel Authenticate will come with every PC with a 6th Generation processor, though, because of that CPU's leap in performance, Garrison explains, it won't work on 5th Generation or earlier processors. Intel in late January released the technology for anyone to test in preview mode by downloading a firmware update.

The Different Factors
Systems administrators can deploy Intel Authenticate in a number of ways. Through policy management tools running under Intel's own McAfee ePolicy Orchestrator (ePO), Microsoft System Center Configuration Manager (SCCM) or Active Directory, organizations can create policies that require MFA all the time, or only under certain conditions. For example, IT may want employees to use multiple factors when accessing a system outside of the office while allowing a single factor at their desks. Intel Authenticate, according to the company, lets IT use a variety of hardware-enhanced authentication factors to validate a user's identity, including something the user can enter such as a PIN (via a protected screen-based PIN pad), a mobile phone paired via Bluetooth or near-field communication, and biometrics. Intel Authenticate also can lock down a PC when its designated user's presence isn't detected. According to Intel, identities are verified by using a combination of those and other hardened factors at the same time.

"What we're providing is an even better security capability because it's rooted in hardware."

Another factor it supports is logical location. That means if the user logs in on a known (trusted) network, the policy may allow single-factor authentication. But if the user connects from a public or untrusted network, the user can only gain access using multiple factors, which are determined by what IT specifies in the policy engine. Logical location is the only factor that requires Intel vPro technology, which offers higher levels of security and management than the company's processors without that feature. Introduced back in 2007, vPro is offered in commercial systems and includes Intel Active Management Technology (AMT), with extended manageability and security built into the chipset, processor and network interface. It includes Intel Setup and Configuration Software and allows for management of systems even if they're powered off, and more recent releases store keys on the chipsets rather than the hard drive.
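The conditional policy described above (one factor on a trusted network, several hardened factors elsewhere) can be modelled as a small policy evaluator. This is an added illustration, not Intel Authenticate's own policy engine or format; the factor names, rule fields and network labels are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Factors named in the article. PASSWORD stands in for a software-only factor."""
    PIN = "protected PIN pad"
    FINGERPRINT = "fingerprint"
    PHONE_BT = "Bluetooth phone proximity"
    NFC = "near-field communication"
    PASSWORD = "password"


# Factors whose secret never leaves hardware; the only ones that count when
# the policy demands hardened factors (classification is an assumption here).
HARDENED = {Factor.PIN, Factor.FINGERPRINT, Factor.PHONE_BT, Factor.NFC}


@dataclass(frozen=True)
class LocationRule:
    required_count: int   # distinct factors that must be verified
    hardened_only: bool   # if True, soft factors do not count toward the total


@dataclass(frozen=True)
class Policy:
    trusted_networks: frozenset  # the "logical location" factor: known networks
    on_trusted: LocationRule
    on_untrusted: LocationRule


def evaluate(policy: Policy, network: str, verified: set[Factor]) -> tuple[bool, str]:
    """Decide a login attempt: pick the rule by logical location, then count factors."""
    trusted = network in policy.trusted_networks
    rule = policy.on_trusted if trusted else policy.on_untrusted
    counted = {f for f in verified if f in HARDENED} if rule.hardened_only else set(verified)
    where = "trusted" if trusted else "untrusted"
    verdict = f"{len(counted)} counted, {rule.required_count} required on {where} network"
    return len(counted) >= rule.required_count, verdict


# Constructed sample policy: single factor at the office, two hardened factors elsewhere.
CORP_POLICY = Policy(
    trusted_networks=frozenset({"corp-hq", "corp-branch"}),
    on_trusted=LocationRule(required_count=1, hardened_only=False),
    on_untrusted=LocationRule(required_count=2, hardened_only=True),
)

if __name__ == "__main__":
    print(evaluate(CORP_POLICY, "corp-hq", {Factor.PASSWORD}))
    print(evaluate(CORP_POLICY, "coffee-shop", {Factor.PASSWORD, Factor.PIN}))
    print(evaluate(CORP_POLICY, "coffee-shop", {Factor.PIN, Factor.FINGERPRINT}))
```

Note that a password plus a PIN is refused off-network: the soft factor is ignored once the rule asks for hardened factors only.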

Analysts believe only the largest of enterprises have deployed vPro. Intel hasn't disclosed how many systems with vPro are in use, but Garrison said at a media briefing in late January to launch Intel Authenticate that over the past year the number of activations has doubled.

Windows Hello: Friend or Foe?
The arrival of Intel Authenticate brings up the question: Will it compete with Windows Hello and Passport biometric authentication technology or is it additive? Garrison insists the two technologies are complementary and that administrators can let users enroll their credentials with Windows Hello when setting up Intel Authenticate. "With Authenticate we use that enrollment from Microsoft so you don't have to enroll multiple times," Garrison says. "We will use the same enrollment. The partnership we have with Microsoft is very broad. We know how the enrollment works and our goal is obviously from a user-experience standpoint, to make sure that the experience is positive for the people that are using Authenticate so they don't have to have multiple enrollments. They can do it once and use it in a Windows 10 context or in an Authenticate context."

Garrison says in the coming months the two companies will be jointly marketing the security benefits of running Windows 10 on systems with the new Skylake processors. "We will be telling this joint story about security and manageability and all of the productivity enhancements you get from having the most modern operating system coupled with the most modern hardware platforms," he says. When asked about those joint efforts, Microsoft offered only the following statement about Windows 10 security:

"We have made significant security investments in new features like Microsoft Passport, Windows Hello, Azure Active Directory, BitLocker, Enterprise Data Protection and Device Guard to protect against today's evolving set of security threats. That said, system support for biometric authentication and enterprise grade two-factor authentication in Windows 10 via Windows Hello and Microsoft Passport help protect business data and online experiences without the need for regularly changing passwords. Organizations that deploy Microsoft Passport and Windows Hello will make it much more difficult for cybercriminals to conduct disruptive acts."

Pressed to comment specifically about its work with Intel on Authenticate last month, a Microsoft spokesperson said it has no further comment at this time.

When it comes to MFA, Microsoft's emphasis on Windows to date has primarily rested on the more pervasive industry standard Trusted Platform Module (TPM), a chipset found on most commercial PC motherboards that generates, stores and restricts the use of cryptographic keys. The TPM chip can be used for device authentication using a unique, burned-in RSA key designed to ensure secure authentication. Since the release of Windows Vista, Microsoft has made use of a system's TPM through its BitLocker drive encryption, which debuted with that OS. Microsoft has enhanced BitLocker in Windows 10 with support for the XTS-AES encryption algorithm, key recovery via Azure Active Directory, DMA port protection using MDM policies to block ports, and Group Policy support for configuring pre-boot recovery.

Windows 10 can make improved use of the TPM, as well. The TPM with the new OS adds support for the new Microsoft Passport, which allows for the replacement of passwords via Windows Hello biometric authentication or a PIN. Microsoft Passport allows users to authenticate to a Microsoft Account, Active Directory, Azure AD or via any device that supports Fast ID Online (FIDO) authentication. Also leveraging the TPM in a Windows 10 Enterprise Edition-based system is Device Guard, which makes use of new virtualization-based security by isolating the Code Integrity service from the Windows kernel, so that signatures based on enterprise policies determine what's trustworthy. Yet another new component in Windows 10 making use of the TPM is Credential Guard, which is designed to protect against credential theft by only allowing privileged system software to access stored credentials. It, too, protects credentials by isolating them from the OS, according to Microsoft.

TPM Challenges
TPM modules were one of the first substantial hardware security components that went into PCs, says Endpoint Technologies Associates Principal Analyst Roger Kay. "They're on hundreds of millions of PCs, really an incredible number," Kay says. "And, yet, the number of companies using Trusted Platform Module in their security scheme are really limited. I don't know how many, but not very many. It's more the exception than the rule."

Garrison echoes that view, saying Intel Authenticate promises to have wider and more mainstream appeal. "I think TPM, in general, is an example of an interesting technology that wasn't, what I would say, broadly adopted. The reason I think [that] is the use cases of TPM were relatively limited. What we are trying to do with Authenticate is focus on a use case and a threat that is a broad exposure. And a use case that's done every single day, multiple times a day. We are making the overall experience positive from a user standpoint. TPM is a solution that delivers a higher level of trust, but it's primarily the user who doesn't really care about it. It's the IT organization that would care about it. With Authenticate, you're getting the value of a more trusted machine, which is what the IT shop would care about. And, you're getting a better user experience because to the user it'll look like they don't have any more passwords."

Intel Authenticate prompting a user to authenticate with the PC fingerprint scanner, which can access credentials stored in the CPU.

Impact on Commercial PC Demand
As of mid-February, Microsoft didn't want to discuss how, or even if, some of its new hardware-based encryption capabilities in Windows 10 Enterprise will work with Intel Authenticate. Suffice it to say, some tension has arisen between the two companies despite their longstanding partnership. The most recent potential conflict surfaced when Microsoft in January said it will not support Windows 7 and Windows 8.1 on the vast majority of Skylake-based systems after July 17, 2017, despite the fact that the company previously promised to support Windows 7 until 2020. That could pose an impediment for Intel's efforts to drive PC refreshes because the largest of enterprises may not have decided to move to Windows 10 within that time frame, meaning any system upgrades will be on an as-needed basis consisting of lower-margin 4th and 5th Generation-based hardware. (In this month's Windows Insider column on p. 30, Ed Bott weighs in on the implications of that decision.) Commercial PC shipments declined 8.2 percent last year, according to IDC, which is forecasting a 1.8 percent decline for 2016, a considerable improvement, the market researcher said in an analyst bulletin about Intel Authenticate.

"If Intel's message catches on, it could provide a much-needed boost to the PC OEMs in a soft PC market," IDC's research note stated. "Organizations looking to reach the bleeding edge of endpoint security will have to refresh to new Skylake-based PCs to obtain the Authenticate feature in addition to the performance gains achieved when upgrading from older PCs to the 6th Generation Core. In many instances Authenticate is made better with higher-end PCs -- the PIN authentication is a safer and easier experience on a touch PC." In IDC's most recent PC and tablet survey of 502 IT decision makers in December, 61 percent said security was "overwhelmingly" their No. 1 concern.

Whatever technology overlap or conflicting business interests lie between Intel and Microsoft, they're not likely to hinder cooperation in a major way. Intel Authenticate doesn't conflict with Microsoft's new security features in Windows 10, Garrison insists, noting his company's support for the FIDO standards that Microsoft has helped co-sponsor. "They don't conflict," he says of the new security features in Windows 10 and Intel Authenticate. "Some of them are completely unrelated, but for example, with Hello versus Authenticate, Microsoft will give you a set of choices of which factors to use. And those factors -- you can use face, a password and [others] -- but their implementation is based on what we call a software implementation, so it's visible at the software level and, therefore, you could be exposed to certain classes of attacks in that case."

Garrison is also emphatic in his declaration that Intel and Microsoft are working closely together and those efforts will become apparent over time. "We've got deep engineering engagement between the two companies," he says. "As they have either OS features or us with hardware features, we work collaboratively in that sense. That's the same way we're going with Authenticate. Our engagement right now has been very much focused on making sure that Authenticate [works] seamlessly with Windows 10, as well as Windows 7 and Windows 8.1. Longer term, from an Intel perspective, our goal is that Windows authentication will use the security capabilities that are built into the 6th Generation platforms and beyond."

Interaction with Other Authentication Providers
It's still too early to tell to what extent multifactor authentication will take hold in commercial and enterprise environments even with the debut of Intel Authenticate, but integrating with Windows is one facet, though a key one, that the company must address. Intel must also do so with established providers of encryption and MFA technology including RSA Security, among others.

"They're very interested in Authenticate because one of the limitations with some of those other solutions, for example hardware tokens, is those tokens are a pain point for their customers," Garrison says. Kayvan Alikhani, RSA's senior director of technology, is looking at Intel Authenticate closely. "It makes sense for some of these authentication methods to end up at the hardware root of trust at some level of installation and their ability to be not tied to the rich operating system," Alikhani says. "In this case Intel is obviously moving in that direction. You really cannot beat firmware-based approaches from a strength and a security perspective. The challenge is the upgradeability, the manageability, the serviceability, because you end up with a level that is rarely upgraded by end users. The upgrade is a little more tricky than what you get from a daily or weekly upgrade from a Windows or iOS or Android perspective."

Also to be determined is to what extent PC vendors integrate and evangelize Intel Authenticate versus overlaying their own authentication techniques. For one, Garrison says all the major OEMs plan to support Intel Authenticate in one way or another. One new piece of hardware slated to make use of it is the new Lenovo ThinkPad X1 Carbon. Lenovo has a hardened fingerprint solution that takes advantage of Intel Authenticate, built as a hardened factor. Other PC vendors are looking at soft factors that are invisible to the OS.

"Obviously from our perspective, the more you can choose hardened factors, each of those individual factors is more robust and less likely to be compromised," Garrison says. "But over time, you'll see more factors come in from us. We'll be adding things like hardened facial log in. You'll see other biometrics come in from other OEMs. I can't discuss the details but suffice it to say, there will be other biometrics coming in."

Over time, Garrison hints that Intel Authenticate will move beyond just identity. "Our strategy is to build upon the security capabilities of the PC, to be able to add capabilities in it, with data protection being an example of an area where we can add more capability that significantly improves the protection of data -- in motion or at rest -- on a PC."
